Filed under: Analysis / Opinion, OS, Software, Apple
"The Month of Apple bugs" begins, rationality surrenders
Kevin Finisterre and someone we only know as "LMH" have launched the Month of Apple Bugs, a site they dub a 'project' with the supposed goal of publishing bugs, hacks and exploits they have found in If you're the type who enjoys Cliff's Notes, let me summarize my feelings about the decision Kevin and "LMH" have made with this site: I spent almost all of last night sketching and brainstorming ideas, but I honestly can't think of anything more pathetically ego-massaging or FUD-dredging one could do with this information outside of writing, directing and starring in a horror movie about code exploits. Thankfully, I wager such a movie wouldn't do so well at the box office.
Let me be clear: if these guys have actually found enough problems with software (be it Apple's or otherwise) to fill a whole month of releases, I honestly and sincerely thank them - they can help whoever makes that software to make it better. What is so horrendously wrong with this 'project' is that they're stirring up hype and making news headlines with these exploits, instead of sticking with the traditional and ethical practices of reporting and discussing these bugs with the relevant parties.
Who knows, maybe they already filled out the form (though after reading FAQ #4, I doubt it), but publishing this information and landing themselves all over Digg and Yahoo! News isn't going to accomplish anything productive. They complain about slow processes and being annoyed at auto-responders to bug reports, but they fail to offer any legitimate reason or positive justification for publishing code like this. Patience and civility are virtues, and while I can completely understand being annoyed at faceless bureaucratic processes that fail to tingle the 'hooray, I did something good!' bone, publishing this code in this manner has no positive merit for anyone and causes nothing but undue harm to the Mac community they so smugly feign an interest in.
But I would hate to end on such a bad note. Instead, I'll promise to stomp my feet about this 'project' as little as possible, as we at TUAW would rather focus on the positive. Over the month, we'll offer context and solutions for the bugs Mr. Finisterre and "LMH" publish, in an effort to help the Mac web create something positive out of this questionable month-long bug report. Stay tuned.

Reader Comments (Page 1 of 2)
Zeke Zander said 7:38AM on 1-03-2007
I think they're trying to help. OS X is gaining market share and it would be good to get these problems taken care of before we are attacked. Plus, we all know what would happen to these folks if they were to go to Apple with this information, c'mon - lawyer city!
Edward said 7:56AM on 1-03-2007
Their second "bug" is a bug in an open source project and I think they should have followed the project's bug reporting routines... or even better, fixed it for them.
http://www.videolan.org/support/index.html
But, as you say, they are in for it for the hype...what else?
David Chartier said 7:57AM on 1-03-2007
#1: How exactly does publishing 0-day exploits on the internet 'help?' These guys are putting malicious code into the hands of anyone who would like to use it.
The traditional and proper method for actually trying to help with fixing code like this is alerting people who own the software, i.e. - *the people who can fix it.* Not putting it online for the world to see and for anyone with a chip on their shoulder to *take advantage of it.*
Chintan Amin said 8:13AM on 1-03-2007
Wow, I beat you guys to the punch!
http://dotblawg.blogspot.com/2007/01/month-of-apple-bugs-project-fails-on.html
Alex Morse said 8:14AM on 1-03-2007
With Apple gaining so much ground in the home PC market, it was bound to happen sooner or later. It's unfortunate that a lot of people will paint or view this in a bad light: "A whole month of bugs in Apple software!? Gasp, I better not switch."
I wonder if they're going to follow up with a month of Vista.
Peter van Impelen said 8:16AM on 1-03-2007
Help is at hand :
http://landonf.bikemonkey.org/code/macosx/
Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released.
C. Ford said 8:21AM on 1-03-2007
They're spending the rest of '07 on Vista. At least that's what I heard...
El Segundo said 9:28AM on 1-03-2007
They should start on "60 months of Vista bugs" February 1st.
Steve said 10:03AM on 1-03-2007
I think it's a good idea. I believe most Apple users are upset about the publicity, but they are doing this to get the attention necessary for the problems to be addressed by Apple. Being incognito and sending the problems directly to Apple may or may not result in them being addressed. It's better to beat the hackers to the punch than the other way around.
Alex said 10:03AM on 1-03-2007
So I went and tried the first exploit. He specified it had to be on an x86 Mac, so I tried it on my MacBook. It didn't work. It did crash QuickTime, but it didn't attempt to execute anything.
Clair said 10:09AM on 1-03-2007
I know OS X is far from being without problems, but it seems as though they're already grasping at straws. I hope they're leaving the "best" for last.
Perhaps it is the way the site has been portrayed, but I also feel this is nothing but a publicity stunt.
Jordan said 10:53AM on 1-03-2007
Full disclosure is the fastest way of getting an exploit patched. Period.
eric said 10:56AM on 1-03-2007
No doubt these guys are looking for their 15 minutes and some job offers.
Adrian said 11:10AM on 1-03-2007
Has anyone tried that QuickTime fix that Landon Fuller developed? I already have Application Enhancer installed, but I didn't know if I should try that fix or not.
Jason said 11:24AM on 1-03-2007
Yes, perpetuate the hype by posting here. :P Hopefully something good will come of this.
And as for being positive, try to stop with the Zune and Vista criticism. There's no need for clever little asides or anything of that nature in TUAW posts. We all know they are playing catchup, even though they have most of the market. Let's just leave it at that.
David Chartier said 11:37AM on 1-03-2007
#12: *Full disclosure to Apple* Jordan, the people who can **do** something about these problems. No one, and I mean no one, has provided a legitimate, positively productive reason for unleashing this information on an audience that includes people who don't understand what's going on here, as well as those who *do* and can use this information for malicious purposes. Apple can fix these problems. Unless you are, for example, the QuickTime engineer who slipped up and created the problem they posted on their first day, there is absolutely no reason for you to have 'full disclosure' on what it actually is. A solution or a workaround to plug the leak it causes, sure, but not the whole 9.
Jon said 11:39AM on 1-03-2007
What bothers me the most is the fact that they're calling this the "Month of Apple Bugs" to gain headlines when it clearly isn't. I don't know how they can justify posting bugs for other software... oh wait, there aren't enough bugs in Apple software to fill the whole month. But never mind, calling it the Month of Apple Bugs will get more headlines.
Btw, what's the point of a publicity stunt if you remain anonymous?
Alex said 12:57PM on 1-03-2007
It's also important to note that "vulnerability" is very different from "risk".
QuickTime (and VLC) exploits are, right now, pretty low risk issues. Yes, an exploit is *possible*, and maybe even some automated attack vector could be built. But if their purpose was to show that OS X was a risky operating environment - until the threat landscape changes - the Month of Apple Bugs project is a dismal failure so far.
Thomas said 2:02PM on 1-03-2007
The second one isn't Apple software or even Mac only - according to the site it's been confirmed on the Windows version of VLC.
Leonard Nimrod said 2:12PM on 1-03-2007
FACTS:
- A bug is not a security hole.
- There are a lot more than 31 bugs in OS X.
- This will help Apple make a more stable OS X in the long run.